Knox IDF - First steps

.github/workflows/build/Dockerfile

@@ -38,6 +38,8 @@ ADD gateway-site.xml /knox-runtime/conf/gateway-site.xml
 ADD conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
 ADD conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
 ADD conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
+ADD conf/topologies/knoxidf-ldap.xml /knox-runtime/conf/topologies/knoxidf-ldap.xml
+ADD conf/topologies/knoxidf-token.xml /knox-runtime/conf/topologies/knoxidf-token.xml
 
 ADD conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
 

.github/workflows/build/Dockerfile.local

@@ -60,6 +60,8 @@ ADD conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
 ADD conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
 ADD conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
 ADD conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
+ADD conf/topologies/knoxidf-ldap.xml /knox-runtime/conf/topologies/knoxidf-ldap.xml
+ADD conf/topologies/knoxidf-token.xml /knox-runtime/conf/topologies/knoxidf-token.xml
 
 
 RUN chown -R gateway /knox-runtime/

.github/workflows/build/conf/topologies/knoxidf-ldap.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="utf-8"?>
+<topology>
+    <gateway>
+      <provider>
+         <role>authentication</role>
+         <name>ShiroProvider</name>
+         <enabled>true</enabled>
+         <param>
+            <name>main.ldapRealm</name>
+            <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
+         </param>
+         <param>
+            <name>main.ldapRealm.userDnTemplate</name>
+            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+         </param>
+         <param>
+            <name>main.ldapRealm.contextFactory.url</name>
+            <value>ldap://ldap:33389</value>
+         </param>
+         <param>
+            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+            <value>simple</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/.well-known/openid-configuration</name>
+            <value>anon</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/client/register</name>
+            <value>anon</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/authorize/callback</name>
+            <value>anon</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/jwks</name>
+            <value>anon</value>
+          </param>
+         <param>
+            <name>urls./**</name>
+            <value>authcBasic</value>
+         </param>
+      </provider>
+      <provider>
+            <role>identity-assertion</role>
+            <name>Default</name>
+            <enabled>true</enabled>
+      </provider>
+    </gateway>
+
+    <service>
+        <role>KNOXIDF</role>
+        <param>
+            <name>knoxidf.knox.token.ttl</name>
+            <value>60000</value>
+        </param>
+        <param>
+            <name>knoxidf.knox.token.limit.per.user</name>
+            <value>-1</value>
+        </param>
+        <param>
+            <name>token.exchange.topology.name</name>
+            <value>knoxidf-token</value>
+        </param>
+        <param>
+            <name>user.params.provider.ldap.url</name>
+            <value>ldap://ldap:33389</value>
+        </param>
+    </service>
+</topology>

.github/workflows/build/conf/topologies/knoxidf-token.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="utf-8"?>
+<topology>
+    <gateway>
+      <provider>
+         <role>federation</role>
+         <name>JWTProvider</name>
+         <enabled>true</enabled>
+         <param>
+            <name>knox.token.exp.server-managed</name>
+            <value>true</value>
+         </param>
+      </provider>
+      <provider>
+            <role>identity-assertion</role>
+            <name>Default</name>
+            <enabled>true</enabled>
+      </provider>
+    </gateway>
+
+    <service>
+        <role>KNOXIDF</role>
+        <param>
+           <name>knoxidf.knox.token.ttl</name>
+           <value>86400000</value>
+        </param>
+        <param>
+            <name>knoxidf.knox.token.limit.per.user</name>
+            <value>-1</value>
+        </param>
+        <param>
+           <name>user.params.provider.ldap.url</name>
+           <value>ldap://ldap:33389</value>
+        </param>
+    </service>
+    <service>
+        <role>KNOXTOKEN</role>
+        <param>
+            <name>knox.token.ttl</name>
+            <value>60000</value>
+        </param>
+        <param>
+            <name>knox.token.limit.per.user</name>
+            <value>-1</value>
+        </param>
+    </service>
+</topology>

.github/workflows/compose/docker-compose.yml

@@ -25,8 +25,8 @@ services:
       context: ../build
       dockerfile: Dockerfile.local
       args:
-        knoxurl: ${knoxurl:-https://github.com/apache/knox.git}
-        branch: ${branch:-master}
+        knoxurl: ${knoxurl:-https://github.com/smolnar82/knox.git}
+        branch: ${branch:-knox_idf_smolnar}
     image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}
 
   ldap:

.github/workflows/publish-test-results.yml

@@ -46,5 +46,5 @@ jobs:
           commit: ${{ github.event.workflow_run.head_sha }}
           event_file: artifacts/Event File/event.json
           event_name: ${{ github.event.workflow_run.event }}
-          files: "artifacts/**/*.xml"
+          files: "artifacts/test-results/**/*.xml"
 

.github/workflows/tests.yml

@@ -82,13 +82,43 @@ jobs:
           # Run the tests service defined in docker-compose.yml
           docker compose -f ./.github/workflows/compose/docker-compose.yml up --exit-code-from tests tests
 
+      - name: Collect Knox Logs and Conf
+        if: always()
+        run: |
+          mkdir -p .github/workflows/artifacts/knox-logs
+          mkdir -p .github/workflows/artifacts/knox-conf
+          docker compose -f ./.github/workflows/compose/docker-compose.yml cp knox:/knox-runtime/logs .github/workflows/artifacts/knox-logs
+          docker compose -f ./.github/workflows/compose/docker-compose.yml cp knox:/knox-runtime/conf .github/workflows/artifacts/knox-conf
+
       - name: Upload Test Results
         if: (!cancelled())
         uses: actions/upload-artifact@v4
         with:
           name: test-results
           path: .github/workflows/tests/test-results.xml
 
+      - name: Archive Knox Logs
+        if: always()
+        run: tar -cvzf knox-logs.tar.gz -C .github/workflows/artifacts/knox-logs .
+
+      - name: Upload Knox Logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: knox-logs
+          path: knox-logs.tar.gz
+
+      - name: Archive Knox Conf
+        if: always()
+        run: tar -cvzf knox-conf.tar.gz -C .github/workflows/artifacts/knox-conf .
+
+      - name: Upload Knox Conf
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: knox-conf
+          path: knox-conf.tar.gz
+
       - name: Upload Event File
         uses: actions/upload-artifact@v4
         with:

.github/workflows/tests/common_utils.py

@@ -15,6 +15,8 @@
 
 from __future__ import annotations
 
+import base64
+import json
 import os
 import unittest
 from typing import Any
@@ -66,3 +68,32 @@ def collect_actor_group_values(
 def assert_hsts_header(testcase: unittest.TestCase, response: requests.Response) -> None:
     testcase.assertIn(HSTS_HEADER_NAME, response.headers)
     testcase.assertEqual(response.headers[HSTS_HEADER_NAME], HSTS_EXPECTED_VALUE)
+
+def get_token_id_display_text(uuid):
+    """
+    Format the token ID for display, matching Knox's getTokenIDDisplayText logic.
+    """
+    if uuid and len(uuid) == 36 and "-" in uuid:
+        first_dash = uuid.find('-')
+        last_dash = uuid.rfind('-')
+        return f"{uuid[:first_dash]}...{uuid[last_dash+1:]}"
+    return uuid
+
+
+def get_token_claim(token, claim):
+    """
+    Decodes a JWT token and returns the value of the specified claim.
+    """
+    try:
+        payload_b64 = token.split('.')[1]
+        # URL-safe base64 decoding usually needs padding adjustment
+        missing_padding = len(payload_b64) % 4
+        if missing_padding:
+            payload_b64 += '=' * (4 - missing_padding)
+        # Use urlsafe_b64decode just in case, though standard b64decode often works with padding
+        payload_json = base64.urlsafe_b64decode(payload_b64).decode('utf-8')
+        payload = json.loads(payload_json)
+        return payload.get(claim)
+    except Exception as e:
+        print(f"Failed to decode token for claim '{claim}': {e}")
+        return None